I have a device managed via Intune and silent BitLocker encryption is the only thing showing as non-compliant.
In reviewing the device, BitLocker encryption has failed; I see it throws out this prompt:
I went through the device's local GP settings and all settings are as they should be, per below:
In reviewing the event logs I get the following:
Event ID: 834 BitLocker determined that the TCG log is invalid for use of Secure Boot. The filtered TCG log for PCR[7] is included in this event.
Event ID: 778 The BitLocker volume C: was reverted to an unprotected state.
Event ID: 851 Failed to enable Silent Encryption. Error: The Group Policy settings for BitLocker startup options are in conflict and cannot be applied. Contact your system administrator for more information.
Event ID: 835 BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for the OS Loader Authority has invalid structure. The event is expected to be an EV_EFI_VARIABLE_AUTHORITY event. The event data must be formatted as an EFI_VARIABLE_DATA structure with VariableName set to EFI_IMAGE_SECURITY_DATABASEGUID and UnicodeName set to 'db'.
Event ID: 851 Failed to enable Silent Encryption. Error: BitLocker Drive Encryption is already performing an operation on this drive. Please complete all operations before continuing.
I have seen one online document advising to go into RegEdit, change any value data of 0 or 1, and delete these entries. Is this really the only fix, or could it break the policies? What about any value with 2?
Registering devices with Intune for management and policy enforcement
Other Intune-related topics, including unsupported scenarios and platform-specific behaviors
This matter is resolved.
You need to remove 2 keys and set UseTPM to a value of 2.
@Juan, Thanks for the update. I am glad the issue is resolved. To help others who have the same issue find the solution quickly, please let me write a brief summary:
Issue:
BitLocker encryption shows non-compliant.
In reviewing the device, BitLocker encryption has failed, and local group policy is not set.
Errors in the event log:
Event ID: 834 BitLocker determined that the TCG log is invalid for use of Secure Boot. The filtered TCG log for PCR[7] is included in this event.
Event ID: 778 The BitLocker volume C: was reverted to an unprotected state.
Event ID: 851 Failed to enable Silent Encryption. Error: The Group Policy settings for BitLocker startup options are in conflict and cannot be applied. Contact your system administrator for more information.
Event ID: 835 BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for the OS Loader Authority has invalid structure. The event is expected to be an EV_EFI_VARIABLE_AUTHORITY event. The event data must be formatted as an EFI_VARIABLE_DATA structure with VariableName set to EFI_IMAGE_SECURITY_DATABASEGUID and UnicodeName set to 'db'.
Event ID: 851 Failed to enable Silent Encryption. Error: BitLocker Drive Encryption is already performing an operation on this drive. Please complete all operations before continuing.
Resolution:
Thanks for your sharing and have a nice day!
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
@Juan, Thanks for posting in Q&A. From your description, I know the device shows non-compliant because BitLocker is not enabled. And when we check on the device, it shows there's a conflicting group policy setting for BitLocker. But when we check the local group policy, we find it is not set there. Please confirm whether there's any domain group policy applied to this device. If yes, remove the policy from this device to avoid the conflict.
In general, settings in the policy provider registry key will be duplicated into the main BitLocker registry key under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE.
If there's a mismatch, it will cause issues; we can consider removing these mismatched registry values. To ensure nothing else is affected, you can back up the registry key before we remove them.
Please try the above suggestion and if there's any update, feel free to let us know.
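As an added diagnostic example (not code from the thread, from Microsoft, or from Intune): the script below backs up the FVE key the answer refers to, decodes the startup-authentication values under it (the 0/1/2 values the question asks about, which mean Do not allow / Require / Allow), flags the one combination that leaves no permitted startup method, dumps the MDM policy provider key for side-by-side comparison, and pulls the four event IDs quoted above from the BitLocker log. The thread names only the FVE key, so the PolicyManager path used for the provider key is an assumption; the value names and their meanings are the standard BitLocker policy DWORDs. It changes nothing in the registry, so it can be run before deciding which entries to remove.

```powershell
#Requires -RunAsAdministrator
# Added diagnostic example for the thread above; not code from the thread or from Microsoft.
# Read-only except for the .reg backup it writes. Paths marked "assumed" are not on the page.

$FvePath   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'                            # named in the thread
$MdmPath   = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker'  # assumed MDM policy provider key
$LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
$BackupDir = Join-Path $env:ProgramData 'FVE-Backup'

# 1. Back up the FVE key first; a bad edit can then be rolled back with: reg.exe import <file>
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$BackupFile = Join-Path $BackupDir ('FVE-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
reg.exe export 'HKLM\SOFTWARE\Policies\Microsoft\FVE' $BackupFile /y | Out-Null
Write-Host "Backup written to $BackupFile"

# 2. Decode the startup-authentication DWORDs: 0 = Do not allow, 1 = Require, 2 = Allow.
$Meaning      = @{ 0 = 'Do not allow'; 1 = 'Require'; 2 = 'Allow' }
$StartupNames = 'UseAdvancedStartup', 'EnableBDEWithNoTPM', 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$fve = @{}
foreach ($n in $StartupNames) { $fve[$n] = Get-RegValue -Path $FvePath -Name $n }

Write-Host "`nStartup settings under $FvePath"
foreach ($n in $StartupNames) {
    $v = $fve[$n]
    $label = if ($null -eq $v) { '<not set>' }
             elseif ($Meaning.ContainsKey([int]$v)) { "$v ($($Meaning[[int]$v]))" }
             else { "$v" }
    Write-Host ('  {0,-20} {1}' -f $n, $label)
}

# 3. One conflict that follows directly from the meanings: additional authentication is required
#    (UseAdvancedStartup = 1) yet every authenticator is "Do not allow" and no-TPM mode is off,
#    so no startup method is left that the policy permits.
$authNames  = 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN'
$anyAllowed = @($authNames | Where-Object { $fve[$_] -in 1, 2 }).Count -gt 0
if ($fve['UseAdvancedStartup'] -eq 1 -and -not $anyAllowed -and $fve['EnableBDEWithNoTPM'] -ne 1) {
    Write-Warning 'UseAdvancedStartup=1 but no startup authenticator is allowed: these settings cannot be applied together.'
}

# 4. Show what the MDM policy provider holds, for comparison by eye (its value names differ from FVE).
if (Test-Path $MdmPath) {
    Write-Host "`nMDM policy provider values under $MdmPath"
    Get-ItemProperty -Path $MdmPath | Select-Object -Property * -ExcludeProperty PS* | Format-List
} else {
    Write-Host "`n$MdmPath not present (the path is an assumption; the provider key may differ on this build)"
}

# 5. Pull the BitLocker-API events quoted in the thread, newest first, first line of each message only.
$ids = 778, 834, 835, 851
Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $ids } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell session on the affected device. Step 3 is only one heuristic for the "startup options are in conflict" text in Event 851; the side-by-side listing in steps 2 and 4 is what lets you see which entries the provider and the FVE key disagree on before anything is deleted, and the .reg file from step 1 restores the original state if a removal turns out to be wrong.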